A few months ago I wrote a post: Does Apple care about your privacy?
In the post, I looked at Apple’s IDFA – ID For Advertising, and how it’s abused by companies like Facebook and many more to track you. I believed then, and still believe now, that what Apple is doing is not ethical and also not legal under the European GDPR.
Since then, Apple actually announced that iOS 14 would change the way IDFA was accessible to all apps by default and that it would start “Asking Permission to Track”. This is a welcome change. Sadly, despite iOS 14 rolling out already, and despite Apple’s claims on this page, this change is still not in place.
Luckily, however, I was able to collaborate on this issue with NOYB (None Of Your Business: a privacy organization; please consider donating if you care about your privacy). NOYB brought forward an official complaint against Apple. The complaint was not a GDPR complaint, but rather highlighting an ePrivacy violation. This is another legal framework which explicitly forbids the kind of stuff Apple is doing.
ePrivacy? do you mean the “cookie law”?
Even if you don’t know about the ePrivacy directive, you probably bump into it indirectly almost every day. Noticed those annoying cookie popups? that’s a sad byproduct of this directive. To be fair, the law does not mandate those popups, nor is it only about cookies. And most of those popups are not even compliant with the directive anyway. There’s an important principle that stands behind it however. That same principle Apple violates, as well as many other companies (whether they show a popup or not).
Here’s section 5.3 of the ePrivacy directive (2009)
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
What’s the gist of it? I am not a lawyer, but placing a piece of information on your device and then using it should require explicit, unambigious consent. Apple is indeed placing such piece of information (IDFA), and allowing apps to access it without asking for explicit consent.
Did iOS 14 fix this?
It might sound like iOS 14 solves this, right? They’re talking about “Asking Permission to track”. Unfortunately not. Let’s look at the change that Apple applied so far in iOS 14, and why I think it makes things even worse than before.
If you check out my previous post, it explains how to turn off IDFA on your iOS 13 device. I thought the setting was deliberately confusing then. It’s even more confusing in iOS 14.
To give credit when it’s due, at least now the setting isn’t buried at the end of the
Settings > Privacy section, but rather fairly prominently at the top, under
Asking permission to ask
Let’s break it down though, and see what it says, and what we can make of it.
Allow Apps to Request to Track(emphasis mine)
Initially, doesn’t sound too bad, does it? But hang on a minute. What?? I would understand if it said “Allow Apps to Track”. That would be clear. But what does it mean to allow apps to Request to track? So if I don’t allow them to Request it, then … ? They track me without requesting? WTF
Asking permission to ask for a friend
If this wasn’t confusing enough, there’s a bit of text that’s supposed to explain things, but probably makes things worse…
Allow apps to ask permission to track you across apps and websites owned by other companies.(emphasis mine)
If I allow the apps to ask permission to track, then they would do it with apps and websites owned by other companies? which other companies? And of course, if I don’t allow them to ask, then they won’t ask? or won’t track? or it won’t be other companies but the company that created the app?? WTFWTF
We (Apple) do not give a f**k
Oh, but maybe this last gem makes things clear, in case we weren’t confused enough.
Apps that don’t ask permission may still try to track you.
Right. Yeah. I see. So all this ask permission / request thing is entirely optional anyway? Like, WAT ? so I can prevent apps from asking, but then because they can’t ask, they will track me anyway? or if they can ask, they might not? I seriously don’t get it.
And in case you’re wondering what’s behind the Learn more… link, then I don’t think it helps much either. I tried to search for an online source for this info, but I couldn’t find any web page that actually hosts it. There’s no way to copy&paste it either. So I’ll manually type it in here for posterity:
App developers may choose to ask for your permission before they track you or your device across apps or websites they don’t own in order to target advertising to you, to measure your actions due to advertising or to share your information with data brokers.
If an app developer chooses to ask for your permission, and you give your permission to be tracked, the app can allow information about you or your device collected through the app (for example, a user or device ID, your device’s current Advertising Identifier, your name, email address or other identifying data provided by you) to be combined with information about you or your device collected by third parties. The combined information can then be used by the app developer or third parties for purposes of targeted advertising or advertising measurement. The app developer may also choose to share the information with data brokers, which may result in the linking of publicly available and other information about you or your device.
When you decline to give permission for the app to track you, the app is prevented from accessing your device’s Advertising Identifier (previously controlled through the Limit Ad Tracking setting on your device). App developers are responsible for ensuring they comply with your choices.
It is not considered tracking when the app developer combines information about you or your device for targeted advertising or advertising measurement purposes if the developer is doing so solely on your device and not sending the information off your device in a way that identifies you. In addition, it is not considered tracking when the app developer shares information about you or your device with data brokers for fraud detection or prevention or security purposes. However, the data broker must be performing the fraud detection or prevention or security services only on behalf of the app developer, which means the data broker cannot use the information about you or your device for any other purposes.
You can control whether apps can ask for permission to track you or access your device’s Advertising Identifier. If you don’t want to be asked for your permission, or do not want apps to access your device’s Advertising Identifier, you can disable Allow Apps to Request to Track. On iOS and iPadOS, go to Settings > Privacy > Tracking. On tvOS, go to Settings > General > Privacy > Tracking. When you disable Allow Apps to Request to Track, any app that attempts to ask for your permission will be blocked from asking and automatically informed that you have requested not to be tracked. In addition, all apps, other than those you have previously given permission to track, will be blocked from accessing the device’s Advertising Identifier. For apps you previously gave permission to track, you can tell those apps to stop tracking at the same time you disable Allow Apps to Request to Track.
This info popped quite a few other question marks and raised eyebrows for me, but I’ll leave out the dissection for now.
And in case you’re wondering, at the moment, by default, apps can freely access your IDFA without asking for permission. Allegedly, Apple will force apps to ask at some point, but it’s still not entirely clear when.
The bottom line: You should set this to OFF. Do not allow apps to request to track you. This seems to zero-out your IDFA when apps try to get it. It should also prevent apps from asking for permission in future, when Apple (hopefully) forces them to.
Thanks to my best friend Tal for proofreading, and to Stefano Rossetti from NOYB for pointing out I was quoting an older version of the ePrivacy directive (fixed).